


Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services


How do attackers exploit the lack of this control?

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and DNS servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Host-based firewalls or port filtering tools should be applied on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
  2. Config/Hygiene: Services needed for business use across the internal network should be reviewed quarterly via a change control group, and business units should re-justify the business use. Sometimes services are turned on for projects or limited engagements, and should be turned off when they are no longer needed.
  3. Config/Hygiene: Operate critical services on separate physical host machines, such as DNS, file, mail, web, and database servers.

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)

Procedures and tools for implementing this control:

Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation, maintained in an asset management system such as those described in Critical Control #1. Recently added features in these port scanners can determine the changes in services offered by scanned machines since the previous scan, helping security personnel identify differences over time.

Control 13 Metric:

The system must be capable of identifying any new unauthorized listening network ports that are connected to the network within 24 hours, alerting or sending e-mail notification to a list of enterprise personnel. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until the listening network port has been disabled or it has been authorized by change management. The system service baseline database and alerting system must be able to identify the location, department, and other details about the system where authorized and unauthorized network ports are running. While the 24-hour timeframe represents the current metric to help organizations improve their current state of security, in the future organizations should strive for even more rapid alerting, with notification about an unauthorized open port on the network being sent within two minutes.
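The comparison the procedures section and the metric describe, as an added example (not SANS's code or any scanner's): listeners found by a scan are checked against an authorized-service baseline that carries each host's location and department, and diffed against the previous scan. The inventory, the scan lines and their one-line-per-port format are constructed for the example; a real deployment would read the scanner's own output.

```python
"""Check scan results against the Control 13 service baseline and the
previous scan. Added example, not SANS's or any scanner's code; the
inventory, scan lines and their format below are constructed."""

# Constructed asset inventory (Control 1 style): host -> location, department
# and the set of (port, protocol) listeners authorized by change management.
INVENTORY = {
    "10.0.1.10": {"location": "HQ-DC1", "dept": "IT",
                  "authorized": {(53, "udp"), (53, "tcp")}},
    "10.0.2.25": {"location": "Branch-2", "dept": "Finance",
                  "authorized": {(445, "tcp")}},
}

# Constructed scan output, one open port per line: "host port/proto service".
PREVIOUS_SCAN = """\
10.0.1.10 53/udp domain
10.0.2.25 445/tcp microsoft-ds
"""
CURRENT_SCAN = """\
10.0.1.10 53/udp domain
10.0.1.10 8080/tcp http-proxy
10.0.2.25 445/tcp microsoft-ds
10.0.2.25 3389/tcp ms-wbt-server
"""

def parse_scan(text):
    """Return {host: {(port, proto): service}} from the constructed format."""
    found = {}
    for line in text.splitlines():
        host, portproto, service = line.split()
        port, proto = portproto.split("/")
        found.setdefault(host, {})[(int(port), proto)] = service
    return found

def unauthorized_listeners(scan_text):
    """Listeners absent from the baseline, with the asset details the metric wants."""
    unknown = {"location": "UNKNOWN", "dept": "UNKNOWN", "authorized": set()}
    findings = []
    for host, ports in parse_scan(scan_text).items():
        meta = INVENTORY.get(host, unknown)  # unlisted hosts are flagged whole
        for (port, proto), service in sorted(ports.items()):
            if (port, proto) not in meta["authorized"]:
                findings.append((host, meta["location"], meta["dept"], port, proto, service))
    return findings

def new_since(previous_text, current_text):
    """Listeners present now but not in the previous scan (change over time)."""
    prev, cur = parse_scan(previous_text), parse_scan(current_text)
    return sorted((h, p) for h, ports in cur.items() for p in ports if p not in prev.get(h, {}))

if __name__ == "__main__":
    print(*unauthorized_listeners(CURRENT_SCAN), *new_since(PREVIOUS_SCAN, CURRENT_SCAN), sep="\n")
```

Each finding carries the host's location and department so the alert can be routed as the metric requires; a listener that is later approved is added to the host's `authorized` set and stops appearing.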

Control 13 Test:

To evaluate the implementation of Control 13 on a periodic basis, the evaluation team must install hardened test services with network listeners on ten locations on the network, including a selection of subnets associated with DMZs, workstations, and servers. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly installed services within 24 hours of the services being installed on the network. The test team must verify that the system provides details of the location of all of the systems where test services have been installed.
